kubernetes/hack
Kubernetes Submit Queue 15f0468986 Merge pull request #44895 from dcbw/iptables-restore-manual-locking
Automatic merge from submit-queue

util/iptables: grab iptables locks if iptables-restore doesn't support --wait

When iptables-restore doesn't support --wait (which < 1.6.2 don't), it may
conflict with other iptables users on the system, like docker, because it
doesn't acquire the iptables lock before changing iptables rules. This causes
sporadic docker failures when starting containers.

To ensure those don't happen, essentially duplicate the iptables locking
logic inside util/iptables when we know iptables-restore doesn't support
the --wait option.

Unfortunately iptables uses two different locking mechanisms, one until
1.4.x (abstract socket based) and another from 1.6.x (/run/xtables.lock
flock() based).  We have to grab both locks, because we don't know what
version of iptables-restore exists since iptables-restore doesn't have
a --version option before 1.6.2.  Plus, distros (like RHEL) backport the
/run/xtables.lock patch to 1.4.x versions.

Related: https://github.com/kubernetes/kubernetes/pull/43575
See also: https://github.com/openshift/origin/pull/13845
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1417234

@kubernetes/rh-networking @kubernetes/sig-network-misc @eparis @knobunc @danwinship @thockin @freehan
2017-05-06 15:17:21 -07:00
boilerplate Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
cmd/teststale
e2e-internal Split federation-{up,down} from e2e-{up,down}. 2017-02-24 14:27:31 -08:00
gen-swagger-doc change the relative links to definition in operations.html to satisfy the new path set in the kubernetes.io 2016-07-29 13:29:34 -07:00
jenkins Export patch files to artifacts 2017-03-25 12:16:50 -07:00
lib wire new staging repo 2017-05-02 08:43:31 -04:00
make-rules Merge pull request #45429 from pmichali/issue45425 2017-05-05 17:32:35 -07:00
testdata Remove vestiges of defaulting from conversion path, switch to top-level default registration only 2017-04-12 13:36:15 -04:00
verify-flags add subresource support to kube auth can-i 2017-05-02 12:08:20 +08:00
.linted_packages add integration tests 2017-05-05 10:50:03 -04:00
autogenerated_placeholder.txt
benchmark-go.sh unify newline format for benchmark-go.sh 2016-12-10 01:15:30 -08:00
BUILD Add verify-gofmt as a Bazel test. 2017-02-10 17:00:28 -08:00
build-cross.sh Make releases work 2016-07-12 21:52:54 -07:00
build-go.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
build-ui.sh move swagger route to apiserver 2017-02-01 15:18:32 -05:00
cherry_pick_pull.sh hack/cherry_pick_pull.sh: cleanup patch files 2016-12-14 14:33:17 -08:00
dev-build-and-push.sh hack/dev-build-*: Run dev build instead of release build 2016-12-15 10:35:16 -07:00
dev-build-and-up.sh hack/dev-build-*: Run dev build instead of release build 2016-12-15 10:35:16 -07:00
dev-push-hyperkube.sh Rename build-tools/ back to build/ 2016-12-14 13:42:15 -08:00
e2e_test.go hack/e2e_test.go's tester shouldn't stat files from the future 2017-02-15 15:59:47 -08:00
e2e-node-test.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
e2e.go Convert hack/e2e.go to a test-infra/kubetest shim 2017-02-02 17:42:46 -08:00
federated-ginkgo-e2e.sh Default FEDERATION_KUBE_CONTEXT to FEDERATION_NAME in federation e2e up/down scripts. 2017-04-05 18:47:03 -07:00
generate-bindata.sh Run bindata generation from KUBE_ROOT 2017-01-10 14:28:19 -05:00
generate-docs.sh Move .generated_docs to docs/ so docs OWNERS can review / approve 2017-02-16 10:11:57 -08:00
get-build.sh
ginkgo-e2e.sh e2e test: test azure disk volume 2017-04-28 18:51:34 +00:00
godep-restore.sh hack/godep-restore.sh: use godep v79 which works 2017-03-12 18:43:10 +01:00
godep-save.sh wire new staging repo 2017-05-02 08:43:31 -04:00
grab-profiles.sh Make all usage of sort deterministic 2016-10-20 16:47:20 -04:00
install-etcd.sh
list-feature-tests.sh Make all usage of sort deterministic 2016-10-20 16:47:20 -04:00
local-up-cluster.sh Merge pull request #44895 from dcbw/iptables-restore-manual-locking 2017-05-06 15:17:21 -07:00
lookup_pull.py
OWNERS Add shashidharatd and madhusudancs as hack/ approvers. 2017-04-07 08:33:26 -07:00
print-workspace-status.sh Use munged semantic version for side-loaded docker tag 2017-04-27 15:05:40 -07:00
run-in-gopath.sh Allow make to run from outside GOPATH 2016-07-15 08:42:12 -07:00
test-cmd.sh fix hack/test-cmd 2016-08-02 10:27:29 -04:00
test-go.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
test-integration.sh hack/test-integration.sh: provide a recommended command and exit 2017-02-17 08:44:49 -08:00
test-update-storage-objects.sh Update clusters to use 3.0.17 etcd 2017-02-23 10:08:50 +01:00
update_owners.py updated test owner generation script to add sig column 2017-02-03 12:41:47 -08:00
update-all.sh hack/cluster: consolidate cluster/ utils to hack/lib/util.sh 2017-03-30 22:34:46 -05:00
update-api-reference-docs.sh update generation bash to handle vendor dir 2017-01-17 09:06:34 -05:00
update-bazel.sh Update gazel to v17 2017-04-27 15:01:34 -07:00
update-codecgen.sh enable generation 2017-03-27 09:56:26 -04:00
update-codegen.sh wire new staging repo 2017-05-02 08:43:31 -04:00
update-federation-api-reference-docs.sh update generation bash to handle vendor dir 2017-01-17 09:06:34 -05:00
update-federation-generated-swagger-docs.sh update generation bash to handle vendor dir 2017-01-17 09:06:34 -05:00
update-federation-openapi-spec.sh genericapiserver: move MasterCount and service options into master 2016-12-16 17:23:43 +01:00
update-federation-swagger-spec.sh Federation does not generate swagger spec correctly 2017-01-06 23:45:04 -05:00
update-generated-docs.sh Move .generated_docs to docs/ so docs OWNERS can review / approve 2017-02-16 10:11:57 -08:00
update-generated-protobuf-dockerized.sh spell check for test/* 2016-12-14 06:03:00 -08:00
update-generated-protobuf.sh Rename build-tools/ back to build/ 2016-12-14 13:42:15 -08:00
update-generated-runtime-dockerized.sh CRI: use more gogoprotobuf plugins 2017-01-25 13:52:24 -08:00
update-generated-runtime.sh Rename build-tools/ back to build/ 2016-12-14 13:42:15 -08:00
update-generated-swagger-docs.sh update generation bash to handle vendor dir 2017-01-17 09:06:34 -05:00
update-godep-licenses.sh make godep licenses/copyright check case insensitive 2016-10-24 18:00:08 -07:00
update-gofmt.sh hack/*.sh: re-add staging dirs to verify+update scripts 2017-02-17 08:51:31 +01:00
update-openapi-spec.sh Fix race in service IP allocation repair loop 2016-12-26 21:59:27 -08:00
update-staging-client-go.sh Use "hack/godep-restore.sh" instead of godep restore 2017-03-28 04:05:47 -04:00
update-staging-godeps.sh move metrics to staging 2017-05-01 16:43:50 -07:00
update-swagger-spec.sh wire in aggregation 2017-03-27 09:44:10 -04:00
update-translations.sh Extract a bunch more strings from kubectl 2017-04-06 20:12:50 -07:00
verify-all.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
verify-api-groups.sh add script to check for updates to the files for generation 2016-11-01 15:59:50 -04:00
verify-api-reference-docs.sh
verify-bazel.sh Update gazel to v17 2017-04-27 15:01:34 -07:00
verify-boilerplate.sh Add a build rule for the boilerplate unit test. 2017-01-01 22:54:32 -08:00
verify-cli-conventions.sh Tools for checking CLI conventions 2016-10-17 11:50:02 -02:00
verify-codecgen.sh add apiregistration types 2016-12-06 13:45:10 -05:00
verify-codegen.sh wire new staging repo 2017-05-02 08:43:31 -04:00
verify-description.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
verify-federation-openapi-spec.sh Add verify script federation OpenAPI spec generation 2016-11-07 02:41:50 -08:00
verify-flags-underscore.py ignore BUILD in the flags-underscore.py validation 2016-10-21 17:32:33 -07:00
verify-generated-docs.sh Move .generated_docs to docs/ so docs OWNERS can review / approve 2017-02-16 10:11:57 -08:00
verify-generated-protobuf.sh Verify generated protobuf script should fail on staging/ changes too 2017-03-15 16:15:02 -07:00
verify-generated-runtime.sh add update-staging-client-go.sh and verify-staging-client-go.sh; 2016-10-29 14:20:39 -07:00
verify-generated-swagger-docs.sh docs generation: Use macos compatible copy method 2016-10-18 11:11:03 +02:00
verify-godep-licenses.sh
verify-godeps.sh Export patch files to artifacts 2017-03-25 12:16:50 -07:00
verify-gofmt.sh hack/*.sh: re-add staging dirs to verify+update scripts 2017-02-17 08:51:31 +01:00
verify-golint.sh hack/verify-golint: enforce cleanup of old packages 2017-01-24 08:34:06 +01:00
verify-govet.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
verify-import-boss.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
verify-linkcheck.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
verify-openapi-spec.sh verify-openapi-spec.sh should not ignore extra file in the spec folder api/openapi-spec 2016-11-01 01:13:11 -07:00
verify-pkg-names.sh move metrics to staging 2017-05-01 16:43:50 -07:00
verify-readonly-packages.sh hack/*.sh: re-add staging dirs to verify+update scripts 2017-02-17 08:51:31 +01:00
verify-staging-client-go.sh hack/verify-staging-client-go.sh: fail on changes 2017-02-27 14:11:41 +01:00
verify-staging-godeps.sh update-staging-{client-go,godeps}.sh: no godep-restore, pin godep, check workdir 2017-02-25 22:38:23 +01:00
verify-staging-imports.sh hack/verify-staging-imports.sh: check that plugins are not imported by default 2017-03-12 19:51:31 +01:00
verify-swagger-spec.sh Use make as the main build tool 2016-07-12 21:52:00 -07:00
verify-symbols.sh spell check for test/* 2016-12-14 06:03:00 -08:00
verify-test-images.sh Make all usage of sort deterministic 2016-10-20 16:47:20 -04:00
verify-test-owners.sh Disable verify-test-owners.sh and make go vet more obvious 2016-12-21 11:44:04 -08:00